WebKit - WebCore::Style::TreeResolver::styleForElement Use-After-Free
WebKit - WebCore::Style::TreeResolver::styleForElement Use-After-Free function eventhandler1 try txt.appendChildkg; catche function eventhandler2 try anim.appendChildkg; catche function eventhandler3 try table.scrollIntoViewtrue; catche a !--...
KMPlayer 4.2.2.4 - Denial of Service
KMPlayer 4.2.2.4 - Denial of Service ! /usr/bin/perl Exploit Title: KMPlayer .nsv Denial of Service Date: 2017-11-22 Exploit Author: R.Yavari Version: v4.2.2.4 Tested on: Windows 10, Windows 7 (other versions should be affected) NSV is a streaming video container format developed by Nullsoft; used fo...
WebKit - WebCore::PositionIterator::decrement Use-After-Free
WebKit - WebCore::PositionIterator::decrement Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1346 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...
WebKit - WebCore::RenderText::localCaretRect Out-of-Bounds Read
WebKit - WebCore::RenderText::localCaretRect Out-of-Bounds Read / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1348 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...
WebKit - WebCore::InputType::element Use-After-Free (2)
WebKit - WebCore::InputType::element Use-After-Free 2 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...
WebKit - WebCore::AXObjectCache::performDeferredCacheUpdate Use-After-Free
WebKit - WebCore::AXObjectCache::performDeferredCacheUpdate Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1347 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. Note that accessibility...
Winamp Pro 5.66.Build.3512 - Denial of Service
Winamp Pro 5.66.Build.3512 - Denial of Service ! /usr/bin/perl Exploit Title: Winamp Pro .wav|.wmv|.au|.asf|.aiff|.aif Denial of Service Date: 2017-11-22 Exploit Author: R.Yavari Version: v5.66.Build.3512 Tested on: Windows 10, Windows 7 (other versions should be affected) CVE-2017-16951...
WebKit - WebCore::RenderObject::previousSibling Use-After-Free
WebKit - WebCore::RenderObject::previousSibling Use-After-Free .class9 column-span: all; function f document.execCommand"indent", false; var var00031 = window.getSelection.setBaseAndExtentsum,16,null,6; f; !-- ================================================================= ASan log:...
WebKit - WebCore::DocumentLoader::frameLoader Use-After-Free
WebKit - WebCore::DocumentLoader::frameLoader Use-After-Free function go iframe.name = "foo"; var form = document.createElement"form"; iframe.src = "data:text/html,foo"; form.submit; window.onbeforeunload = f; function f document.head.appendChilddel; ::get...
WebKit - WebCore::FormSubmission::create Use-After-Free
WebKit - WebCore::FormSubmission::create Use-After-Free function jsfuzzer textarea1.setRangeText"foo"; textarea2.autofocus = true; textarea1.name = "foo"; form.insertBeforetextarea2, form.firstChild; form.submit; function eventhandler2 forvar i=0;i a b !--...
WebKit - WebCore::TreeScope::documentScope Use-After-Free
WebKit - WebCore::TreeScope::documentScope Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1344 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...
WebKit - WebCore::SimpleLineLayout::RunResolver::runForPoint Out-of-Bounds Read
WebKit - WebCore::SimpleLineLayout::RunResolver::runForPoint Out-of-Bounds Read / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1349 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...
Vonage VDV-23 - Denial of Service
Vonage VDV-23 - Denial of Service Overview During an evaluation of the Vonage home phone router, it was identified that the loginUsername and loginPassword parameters were vulnerable to a buffer overflow. This overflow caused the router to crash and reboot. Further analysis will be performed to...
Microsoft Windows 10 - nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry) Pool Memory Disclosure
Microsoft Windows 10 - nt!NtQueryDirectoryFile luafv!LuafvCopyDirectoryEntry Pool Memory Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1361 We have discovered that the nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode...
DblTek - Multiple Vulnerabilities
DblTek - Multiple Vulnerabilities Vulnerabilities summary The following advisory describes two vulnerabilities found in the DblTek webserver. DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Ou...
Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass
Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332 Windows: CiSetFileCache TOCTOU Security Feature Bypass Platform: Windows 10 10586/14393/10S (not tested 8.1 Update 2 or Windows 7) Class: Security Feature Bypa...
iOS 11.1 tvOS 11.1 watchOS 4.1 - Denial of Service
iOS 11.1 tvOS 11.1 watchOS 4.1 - Denial of Service Exploit Title: TpwnT - iOS Denial of Service POC Date: 10-31-2017 Exploit Author: Russian Otter Ro Vendor Homepage: https://support.apple.com/en-us/HT208222 Version: 2.1 Tested on: iOS 10.3.2 - 11.1 CVE: CVE-2017-13849 """ -----------------------...
Microsoft Office - OLE Remote Code Execution
Microsoft Office - OLE Remote Code Execution Source: https://github.com/embedi/CVE-2017-11882 CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research:...
Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting
Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting Exploit Title: Icon Time Systems RTC-1000 alert"xss"; ========================================================== PROOF OF CONCEPT - With valid credentials that has permissions to modify the employee records, access the emplo...
Zeta Components Mail 1.8.1 - Remote Code Execution
Zeta Components Mail 1.8.1 - Remote Code Execution Vendor: Zeta Components module: Mail, returnPath-email”; If an attacker assigns an email address like '[email protected] -X/var/www/html/cache/exploit.php' and injects a payload in the mail body, sendmail will transfer the log (-X) into...
Vonage VDV23 - Cross-Site Scripting
Vonage VDV23 - Cross-Site Scripting Exploit Title: Vonage Home Router – Stored Xss Date: 16/11/2017 Exploit Author: Nu11By73 Hardware Version: VDV-23: 115 Software Version: 3.2.11-0.9.40 CVE : CVE-2017-16843 NewKeyword Parameter: 1. Login to the router 2. Click advanced setup 3. Click parental...
LanSweeper 6.0.100.75 - Cross-Site Scripting
LanSweeper 6.0.100.75 - Cross-Site Scripting LanSweeper - Cross Site Scripting and HTMLi Title: Vulnerability in LanSweeper Date: 16-11-2017 Status: Vendor contacted, patch available Author: Miguel Mendez Z Vendor Homepage: http://www.lansweeper.com Version: 6.0.100.75 CVE: CVE-2017-16841...
VX Search 10.2.14 - Proxy Local Buffer Overflow (SEH)
VX Search 10.2.14 - Proxy Local Buffer Overflow SEH !/usr/bin/env python Exploit Title : VXSearch v10.2.14 Local SEH Overflow Date : 11/16/2017 Exploit Author : wetw0rk Vendor Homepage : http://www.flexense.com/ Software link : http://www.vxsearch.com/setups/vxsearchentsetupv10.2.14.exe Version :...
Microsoft Edge - Object.setPrototypeOf Memory Corruption
Microsoft Edge - Object.setPrototypeOf Memory Corruption ,1::FindEntry+0x41: 00007fffe2b7c841 8b0c81 mov ecx,dword ptr rcx+rax4 ds:0000023b4a2ea4c4=???????? 0:015 k Child-SP RetAddr Call Site 00 000000be563fbba0 00007fffe2f52e3e chakra!JsUtil::WeaklyReferencedKeyDictionary,1::FindEntry+0x41 01...
Microsoft Edge Chakra: JIT - OP_Memset Type Confusion
Microsoft Edge Chakra: JIT - OP_Memset Type Confusion / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357 function opta, b, v if b.length b0 = ; return 0; ; printb0; main;...
Microsoft Edge Chakra JIT - Type Confusion with switch Statements
Microsoft Edge Chakra JIT - Type Confusion with switch Statements / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1341&desc=3 Let's start with a switch statement and its IR code for JIT. JS: for let i = 0; i ; 100; i++ switch i case 2: case 4: case 6: case 8: case 10: case 12:...
Microsoft Edge Chakra: JIT - Lowerer::LowerBoundCheck Incorrect Integer Overflow Check
Microsoft Edge Chakra: JIT - Lowerer::LowerBoundCheck Incorrect Integer Overflow Check / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343 Here's a snippet of the method. void Lowerer::LowerBoundCheckIR::Instr const instr ... ifrightOpnd-IsIntConstOpnd IntConstType newOffset;...
TP-Link TL-WR740N - Cross-Site Scripting
TP-Link TL-WR740N - Cross-Site Scripting Exploit Title: XSS Vuln - TP-LINK TL-WR740N Date: 15/11/2017 Exploit Author: bl00dy Vendor Homepage: http://www.tp-link.com Version: TP-LINK TL-WR740N - 3.17.0 Build 140520 Rel.75075n Tested on: Windows 8.1 Cross-site scripting XSS in TP-LINK TL-WR740N Pro...
CommuniGatePro 6.1.16 - Cross-Site Scripting
CommuniGatePro 6.1.16 - Cross-Site Scripting Exploit Title: CommuniGatePro webmails Multiple Stored XSS Date: 15/11/2017 Exploit Author: Boumediene KADDOUR Unit: Algerie Telecom R&D Unit Vendor Homepage: https://www.stalker.com/ Software Link: http://www.stalker.com/ paid product Version: 6.1.16...
D-Link DIR-605L 2.08 - Denial of Service
D-Link DIR-605L 2.08 - Denial of Service Exploit Title: D-Link DIR605L ROUTER=$1 if [ "$#" -ne 1 ]; then echo "usage: $0 " exit fi curl http://$ROUTER/Tools/...
Dup Scout Enterprise 10.0.18 - Login Remote Buffer Overflow
Dup Scout Enterprise 10.0.18 - Login Remote Buffer Overflow Tested on Windows 10 x86 The application requires to have the web server enabled. Exploit for older version: https://www.exploit-db.com/exploits/40832/ !/usr/bin/python import socket,os,time,struct,argparse parser = argparse.ArgumentPars...
PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection Use-After-Free
PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection Use-After-Free X41 D-Sec GmbH Security Advisory: X41-2017-006 Multiple Vulnerabilities in PSFTPd Windows FTP Server ===================================================== Overview -------- Confirmed Affected Versions: 10.0.4 Build 729...
IKARUS anti.virus 2.16.7 - ntguard_x64 Local Privilege Escalation
IKARUS anti.virus 2.16.7 - ntguard_x64 Local Privilege Escalation / Exploit Title - IKARUS anti.virus Arbitrary Write Privilege Escalation Date - 13th November 2017 Discovered by - Parvez Anwar @parvezghh Vendor Homepage - https://www.ikarussecurity.com/ Tested Version - 2.16.7 Driver Version -...
Ulterius Server 1.9.5.0 - Directory Traversal
Ulterius Server 1.9.5.0 - Directory Traversal Exploit Title: Ulterius Server 1.9.5.0 Directory Traversal Arbitrary File Access Date: 11/13/2017 Exploit Author: Rick Osgood Vendor Homepage: https://ulterius.io/ Software Link:...
Kirby CMS 2.5.7 - Cross-Site Scripting
Kirby CMS 2.5.7 - Cross-Site Scripting Exploit Title: KirbyCMS 2.5.7 Stored Cross Site Scripting Vendor Homepage: https://getkirby.com/ Software Link: https://getkirby.com/try Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince...
Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload
Web Viewer 1.0.0.193 Samsung SRN-1670D - Unrestricted File Upload Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D Date: 2017-06-19 Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com Vendor Homepage: https://www.hanwhasecurity.com...
MyBB 1.8.13 - Remote Code Execution
MyBB 1.8.13 - Remote Code Execution Exploit Title: RCE in MyBB up to 1.8.13 via installer Date: Found on 05-29-2017 Exploit Author: Pablo Sacristan Vendor Homepage: https://mybb.com/ Version: Version 1.8.13 Fixed in 1.8.13 CVE : CVE-2017-16780 This RCE can be executed via CSRF but doesn't require...
osCommerce 2.3.4.1 - Arbitrary File Upload
osCommerce 2.3.4.1 - Arbitrary File Upload Exploit Title: osCommerce 2.3.4.1 Authenticated Arbitrary File Upload Date: 11.11.2017 Exploit Author: Simon Scannell - https://scannell-infosec.net Vendor Homepage: https://www.oscommerce.com/ Software Link:...
MyBB 1.8.13 - Cross-Site Scripting
MyBB 1.8.13 - Cross-Site Scripting Exploit Title: XSS in MyBB up to 1.8.13 via installer Date: Found on 05-29-2017 Exploit Author: Pablo Sacristan Vendor Homepage: https://mybb.com/ Version: Version 1.8.13 Fixed in 1.8.13 CVE : CVE-2017-16781 No HTML escaping when returning an $error in...
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt + ISR: ApparitionSec Vendor: =======...
Microsoft Internet Explorer 11 - jscript!JsErrorToString Use-After-Free
Microsoft Internet Explorer 11 - jscript!JsErrorToString Use-After-Free var e = new Error; var o = toString:function //alert'in toString'; e.name = 1; CollectGarbage; //reallocate forvar i=0;i !-- ========================================= This is a use-after-free in jscript!JsErrorToString that c...
PHP 7.1.8 - Heap Buffer Overflow
PHP 7.1.8 - Heap Buffer Overflow Description: ------------ A heap out-of-bound read vulnerability in timelibmeridian can be triggered via wddxdeserialize or other vectors that call into this function on untrusted inputs. $ /php-7.1.8/sapi/cli/php --version PHP 7.1.8 cli built: Aug 9 2017 21:42:13...
pfSense 2.3.1_1 - Command Execution
pfSense 2.3.1_1 - Command Execution Exploit Title: pfSense User Manager--Groups in the handling of the members parameter. This allows an authenticated WebGUI user with privileges for system_groupmanager.php to execute commands in the context of the root user. 2. Proof of Concept...
Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)
Xlight FTP Server 3.8.8.5 - Buffer Overflow PoC !/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: Xlight FTP Server x86/x64 - Buffer Overflow Crash PoC Date: 07-11-2017 Vulnerable Software: Xlight FTP Server v3.8.8.5 x86/x64 Vendor Homepage: http://www.xlightftpd.com/ Version:...
Ametys CMS 4.0.2 - Password Reset
Ametys CMS 4.0.2 - Password Reset Vulnerability Summary The following advisory describes a password reset vulnerability found in Ametys CMS version 4.0.2 Ametys is “a free and open source content management system CMS written in Java. It is based on JSR-170 for content storage, Open Social for...
ManageEngine Applications Manager 13 - SQL Injection
ManageEngine Applications Manager 13 - SQL Injection ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities. Proof of Concept 1 name= parameter is susceptible: POST /manageApplications.do?method=insert HTTP/1.1 Host: 192.168.1.190:9090...
Linux Kernel 4.13 (Ubuntu 17.10) - waitid() SMEP/SMAP/Chrome Sandbox Privilege Escalation
Linux Kernel 4.13 Ubuntu 17.10 - waitid() SMEP/SMAP/Chrome Sandbox Privilege Escalation // Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13 // By Chris Salls twitter.com/chrissalls // This exploit can be used to break out of sandboxes such as that in google chrome // In thi...
SMPlayer 17.11.0 - .m3u Buffer Overflow (PoC)
SMPlayer 17.11.0 - .m3u Buffer Overflow PoC !/usr/bin/python Exploit Author: bzyo Twitter: @bzyo Exploit Title: SMPlayer 17.11.0 - '.m3u' Crash PoC Date: 05-11-2017 Vulnerable Software: SMPlayer v17.11.0 Vendor Homepage: http://www.smplayer.info Version: v17.11.0 Software Link:...
Avaya IP Office (IPO) 10.1 - ActiveX Buffer Overflow
Avaya IP Office IPO 10.1 - ActiveX Buffer Overflow + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-IPO-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt + ISR: ApparitionSec Vendor: =============...